Bug 1523481 (CVE-2017-15126) - CVE-2017-15126 kernel: Use-after-free in userfaultfd_event_wait_completion function in userfaultfd.c
Summary: CVE-2017-15126 kernel: Use-after-free in userfaultfd_event_wait_completion fu...
Status: CLOSED ERRATA
Alias: CVE-2017-15126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171205,repor...
Keywords: Security
Depends On: 1695806 1476833 1519800 1536935 1536936 1545038 1545039 1695805
Blocks: 1518303
TreeView+ depends on / blocked
 
Reported: 2017-12-08 06:07 UTC by Wade Mealing
Modified: 2019-06-13 09:44 UTC (History)
46 users (show)

(edit)
A flaw was found in the Linux kernel's handling of fork failure when dealing with event messages in the userfaultfd code. Failure to fork correctly can create a fork event that will be removed from an already freed list of events.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:32:51 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0676 None None None 2018-04-10 08:13 UTC
Red Hat Product Errata RHSA-2018:1062 None None None 2018-04-10 09:37 UTC

Description Wade Mealing 2017-12-08 06:07:46 UTC
A flaw was found in the Linux kernels handling of fork failure when dealing with event messages in the userfaultfd code.  Failure to fork correctly can lead to a situation where a fork event will be removed from an already freed list of events with  userfaultfd_ctx_put().  The userfault events are part of the slab cache, and the secondary free could only free other event list objects as the free mechanism uses the underlying kmem_cache_* implementation making generic use-after-free style attacks less effective.  

While technically a use after free style flaw, at this time Red Hat Product security believes this flaw to be difficult to exploit but this may change in the future.


From the commit:

When reading the event from the uffd, we put it on a temporary
fork_event list to detect if we can still access it after releasing and
retaking the event_wqh.lock.

If fork aborts and removes the event from the fork_event all is fine as
long as we're still in the userfault read context and fork_event head is
still alive.

We've [forgotten] to put the event allocated in the fork kernel stack, back from
fork_event list-head to the event_wqh head, before returning from
userfaultfd_ctx_read, because the fork_event head lifetime is limited to
the userfaultfd_ctx_read stack lifetime.

Forgetting to move the event back to its event_wqh place then results in
__remove_wait_queue(&ctx->event_wqh, &ewq->wq); in
userfaultfd_event_wait_completion to remove it from a head that has been
already freed from the reader stack.

This could only happen if resolve_userfault_fork failed (for example if
there are no file descriptors available to allocate the fork uffd).  If
it succeeded it was put back correctly.

Furthermore, after find_userfault_evt receives a fork event, the forked
userfault context in fork_nctx and uwq->msg.arg.reserved.reserved1 can
be released by the fork thread as soon as the event_wqh.lock is
released.  Taking a reference on the fork_nctx before dropping the lock
prevents an use after free in resolve_userfault_fork().

If the fork side aborted and it already released everything, we still
try to succeed resolve_userfault_fork(), if possible.
-- end ---

References:

https://marc.info/?t=150351212000001&r=1&w=2

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=384632e67e0829deb8015ee6ad916b180049d252

Comment 1 Wade Mealing 2017-12-08 06:40:38 UTC
Acknowledgments:

Name: Andrea Arcangeli (Red Hat Engineering)

Comment 3 Wade Mealing 2018-01-22 05:12:45 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 7, realtime, MRG-2 prior to version kernel-3.10.0-781.

The kernel-alt package already as shipped contains this fix.

Comment 8 Wade Mealing 2018-02-14 05:56:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1545039]

Comment 9 Justin M. Forbes 2018-02-14 14:32:19 UTC
This was fixed for Fedora with the 4.14.13 stable kernel updates.

Comment 10 Justin M. Forbes 2018-02-14 14:35:15 UTC
Also, the commit in the first comment is only a partial fix, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0cbb4b4f4c44f54af268969b18d8deda63aded59 finishes the job

Comment 11 errata-xmlrpc 2018-04-10 08:13:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 12 errata-xmlrpc 2018-04-10 09:37:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062


Note You need to log in before you can comment on or make changes to this bug.